The Internet plays an important role in our society today. It has raised traditional communication to a higher level and has a great impact on our daily lives. Almost everyone, from children to the elderly, has at least one digital device that can connect to the Internet, so they can contact others, share information and make online transactions easily and quickly.
However, besides the many benefits the Internet brings, it also poses many potential risks to users who do not know how to take precautions. By taking advantage of the Internet's loopholes, blackhat hackers can gain unauthorized access to systems such as websites, intranets, devices and applications for eavesdropping, data theft and blackmail, which is harmful to banks, businesses and governments. According to CERT statistics (February 2009), "a mere 171 vulnerabilities were reported in 1995 but increased to 7236 in 2007. Already, that number has increased in the third quarter of 2008 to 6058." (Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions, 2013). In particular, the Distributed Denial of Service (DDoS) attack is a method used widely by hackers, and it has become one of the biggest threats in the cyber world of the 21st century.
To minimize the influence of DDoS attacks, the most urgent task now is to research and develop detection and defense mechanisms. Although many techniques have been published before, they have not really met users' performance expectations as the Internet keeps developing and attackers continually improve their malicious systems. The risk of DDoS attacks has moved to a higher level year over year; however, thanks to the development of computers, a large number of methods for detecting and defending against DDoS attacks have been released. The contribution of this paper is divided into four sections. Section 1 gives an overview of DDoS attacks. Section 2 classifies some popular detection algorithms that have been applied most in the last 10 years. Section 3 presents several defense mechanisms, and the last section discusses open issues and challenges for users in the near future.
1. DDoS attack overview.
DDoS is a form of attack in which many systems are coordinated to flood the target server at the same time, overflowing its resources and bandwidth and thereby causing it to refuse service to users. To accomplish this, hackers need to set up a network of computers linked together to generate traffic large enough to deny service to the system's users. Attackers first discover weaknesses in servers and take advantage of these vulnerabilities to gain access to the system; from there they have a foothold for further attacks at a higher level. Typically, after gaining administrative control, attackers install malicious tools on the compromised servers and then direct illegal activity on the Internet under the victims' identities, so that it cannot be traced back to them. Furthermore, after exhausting the victims' resources, attackers reuse these systems to expand their network and create even greater traffic.
In general, DDoS attacks can be divided into two types: direct attacks and reflection attacks. In a direct attack, attackers send commands directly to the controlled servers, which then forward traffic to the victim's machine to create a flood that denies access to users. A reflection attack is more advanced than the previous one because it creates reflectors and sends commands to users, who then believe they executed these instructions themselves without knowing they are being attacked by hackers. The motives behind these attacks can be explained by two causes, depending on scope and importance. The direct cause is often found in small groups of computers: these attacks serve the personal purposes of attackers who want revenge or want to be recognized and respected by the hacker community. However, there is also an underlying cause: many companies hire hackers to perform DDoS attacks to collect material on their competitors. More seriously, countries can use this type of attack against their enemies for political reasons. In most cases, the victim computer is not the real target of the attack; it is just an object chosen to hide the crimes behind.
2. DDoS attack detection methods that have been applied most in the last 10 years.
3. Analyzing well-known defense mechanisms against DDoS attacks.
4. Open issues and challenges for users in the near future.
Many detection and defense mechanisms for DDoS attacks have been researched and presented before. However, most of them stop at the theoretical stage; only a few methods are applied in practice and actually bring efficiency to users. Designing and operating a dedicated system that completely prevents DDoS attacks is one of the most difficult tasks, requiring network security engineers with deep knowledge and long experience. The major challenges that every DDoS prevention mechanism must overcome are discussed below.
(i) The characteristic of DDoS attacks is that attackers use a large network of computers to attack the victim's system simultaneously. Thus, it takes only a few seconds to pass through and occupy all resources and bandwidth, much faster than a normal mechanism can detect an attack. The situation does not improve if clients use a faster detection program, because it usually consumes a large amount of energy and must handle processes at high speed, which leads to a lack of accuracy in the results. Therefore, both the processing speed and the accuracy of detection mechanisms are big challenges for cyber security today. If they do not work smoothly, many other mechanisms will also be affected, causing more serious consequences.
(ii) With the continuing development of the Internet, attackers plan their conspiracies more carefully. Hence, obsolete defense systems cannot cope with modern attacks. A defense mechanism is built on many past attacks, so its downside is that it can only identify well-known attacks, which means new attacks can easily bypass it. Therefore, security experts need to develop a mechanism that combines the ability to detect both known and unknown DDoS attacks.
(iii) Analyzing high-speed traffic to detect DDoS attacks is an extremely challenging mission. Sometimes many users send requests at the same time, which leads to traffic congestion that looks the same as a DDoS attack. However, defense mechanisms cannot distinguish the two correctly, so they can inadvertently cause errors on the computers. These mechanisms may never be completed due to the high cost and the need to deal with a lot of input data, which can slow down the detection rate or cause harmful incidents in extreme cases.
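As an added illustration of challenge (iii) (example code, not part of the original paper), the following detector runs over constructed one-second traffic windows: a volume-only check fires on a legitimate surge and on an attack alike, while a second heuristic, the share of requests from sources with no prior history, separates the two. The client addresses, thresholds and the source-history heuristic are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample traffic, not real captures: each window maps source IP -> requests/s.
# 10.0.1.0/24 plays "known clients" seen in earlier quiet windows; anything else is new.
KNOWN_CLIENTS = {f"10.0.1.{i}" for i in range(1, 41)}

# Assumed thresholds (illustrative, not from the paper).
RATE_THRESHOLD = 100      # requests/s above which a volume-only detector fires
UNSEEN_THRESHOLD = 0.5    # share of requests from never-seen sources

def window_normal():
    """Quiet period: 10 known clients at 2 req/s each (20 req/s)."""
    return Counter({ip: 2 for ip in sorted(KNOWN_CLIENTS)[:10]})

def window_flash_crowd():
    """Legitimate surge: every known client at 6 req/s plus 10 newcomers at 4 req/s."""
    w = Counter({ip: 6 for ip in KNOWN_CLIENTS})            # 240 req/s
    w.update({f"10.0.2.{i}": 4 for i in range(1, 11)})       # +40 req/s
    return w                                                 # 280 req/s total

def window_ddos():
    """Attack: 20 never-seen sources, each sending 25 req/s (500 req/s)."""
    return Counter({f"198.51.100.{i}": 25 for i in range(1, 21)})

def total_rate(window):
    return sum(window.values())

def unseen_fraction(window, known=KNOWN_CLIENTS):
    """Share of requests coming from sources with no prior history."""
    total = total_rate(window)
    if total == 0:
        return 0.0
    return sum(n for ip, n in window.items() if ip not in known) / total

def volume_only_alarm(window):
    """Naive detector from challenge (iii): rate alone. Fires on both surges."""
    return total_rate(window) >= RATE_THRESHOLD

def classify(window, known=KNOWN_CLIENTS):
    """Rate gate, then source-history heuristic to separate a crowd from an attack."""
    if total_rate(window) < RATE_THRESHOLD:
        return "normal"
    if unseen_fraction(window, known) > UNSEEN_THRESHOLD:
        return "suspected ddos"
    return "flash crowd"

if __name__ == "__main__":
    for name, w in (("normal", window_normal()), ("flash", window_flash_crowd()), ("ddos", window_ddos())):
        print(name, total_rate(w), round(unseen_fraction(w), 2), volume_only_alarm(w), classify(w))
```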